FORTISEU
Compliance | 7 January 2026 | 13 min read | Attila Bognar

SOC 2 for EU Companies: When It Makes Sense, When It Doesn't, and How to Approach It

SOC 2 is a US-originated framework, but EU SaaS companies selling to US enterprises increasingly need it. An honest analysis of when SOC 2 is worth the investment, how it interacts with GDPR and NIS2, and the practical path for EU companies with existing ISO 27001 certification.

Tags: SOC 2, EU companies, US customers, trust, procurement

SOC 2 is, for most EU companies that pursue it, a market access requirement. Not a security improvement. That distinction matters because it determines how you should invest, what you should expect from the process, and when you should simply decline the request.

The situation is straightforward: US enterprise procurement teams ask for SOC 2 reports. They ask because their internal vendor risk policies require them. They ask because the AICPA's Trust Services Criteria provide a familiar evaluation framework that their risk teams understand. And they ask because, in the US market, SOC 2 has become the default language of trust between B2B software companies and their customers. ISO 27001 is respected but not sufficient — many US procurement teams treat it as a general governance signal rather than the specific, controls-level assurance that a SOC 2 Type II report provides.

For an EU company that already maintains ISO 27001 certification, the question is not whether SOC 2 adds security value. It largely does not. The question is whether the commercial return from US market access justifies the incremental investment. Sometimes it does. Sometimes it clearly does not. This post helps you make that determination honestly.

Why US Procurement Teams Ask for SOC 2

Understanding the demand is essential to responding intelligently.

SOC 2 reports exist because of a specific gap in the US regulatory and market landscape. The United States lacks a comprehensive, cross-sector data protection regulation equivalent to GDPR. It lacks a mandatory cybersecurity risk-management framework equivalent to NIS2. In the absence of regulatory mandates, the market developed its own assurance mechanism: independent auditor attestation against the AICPA's Trust Services Criteria.

A SOC 2 Type II report tells a prospective customer three things. First, the service organisation has defined controls relevant to security, availability, processing integrity, confidentiality, or privacy. Second, those controls were in place during a specific audit period (typically 6-12 months). Third, an independent CPA firm tested those controls and found them operating effectively — or noted exceptions where they did not.

US enterprise risk teams parse these reports with considerable sophistication. They read the auditor's description of tests performed, they evaluate the nature and severity of any noted exceptions, and they assess whether the control environment addresses the specific risks relevant to the services they are procuring. A clean SOC 2 Type II report is not a rubber stamp — it is a structured conversation about control maturity, mediated by an independent auditor.

This is why ISO 27001 alone does not satisfy US procurement requirements, despite being a more comprehensive framework in many respects. ISO 27001 certification confirms that an information security management system exists and conforms to the standard's requirements. But the certification itself does not describe specific controls, their operating effectiveness over a period, or exceptions identified during testing. The ISO 27001 certificate is a binary signal — certified or not. The SOC 2 report is a detailed narrative.

SOC 2 vs ISO 27001: What Is Actually Different

The frameworks differ in structure, evidence model, and audience. Understanding these differences clarifies the effort required to bridge from one to the other.

Criteria vs controls. SOC 2 is organised around five Trust Services Criteria: security (always required), availability, processing integrity, confidentiality, and privacy. The service organisation selects which criteria are in scope based on the services provided. Within each criterion, the organisation defines its own controls. ISO 27001 is organised around Annex A controls — 93 specific controls in the 2022 edition. The organisation selects applicable controls through a risk-based Statement of Applicability.

The practical difference: SOC 2 gives you more flexibility in how you define and describe controls, but your auditor must be satisfied that your controls, as described, address the criteria. ISO 27001 provides a prescriptive control catalogue, but allows exclusion of non-applicable controls. An organisation with ISO 27001 already has controls that map to most SOC 2 criteria. The work is in re-describing them in SOC 2's language and evidence model.

Point-in-time vs period-of-time. SOC 2 Type I reports assess control design at a point in time. Type II reports — the ones US procurement teams actually want — assess operating effectiveness over a period, typically 6 or 12 months. ISO 27001 surveillance audits assess conformity annually but are not structured as period-of-time attestations of control effectiveness. The SOC 2 Type II requirement means your auditor will sample evidence from across the audit period — access reviews performed quarterly, change management tickets from different months, incident response evidence from actual incidents. You need to demonstrate consistency, not just existence.

Report granularity. An ISO 27001 certificate is a one-page document. A SOC 2 Type II report is typically 80-150 pages. It includes a management assertion, the auditor's opinion, a detailed description of the service organisation's system (infrastructure, software, people, procedures, data), the specific controls in place, and the auditor's tests and results. US procurement teams read these reports. They expect specificity. Vague control descriptions or limited testing scope raise questions.

Audience and distribution. ISO 27001 certificates are public. SOC 2 reports are restricted — distributed under NDA to current and prospective customers. This distinction matters for how you use each in your go-to-market strategy. Your trust center can display ISO 27001 certification publicly while making SOC 2 reports available to authenticated, NDA-bound prospects.

When SOC 2 Makes Sense for EU Companies

The decision framework is primarily commercial, not technical.

US revenue exceeds 30% of total revenue, or you have explicit US expansion goals. If a material portion of your revenue comes from US enterprise customers, SOC 2 is a cost of market participation. Every US enterprise deal that stalls in procurement because you lack a SOC 2 report has a quantifiable revenue impact. When enough deals stall, the SOC 2 investment pays for itself.

You sell B2B SaaS to enterprises. SMB and mid-market US customers rarely require SOC 2. Enterprise procurement teams — companies with 1,000+ employees, formal vendor risk programmes, and dedicated third-party risk teams — almost always do. If your ideal customer profile is enterprise, SOC 2 is table stakes.

Your product handles sensitive customer data. If you process, store, or transmit customer data that could cause material harm if compromised — financial data, healthcare data, personal data at scale, intellectual property — US customers expect SOC 2 as a minimum. Their own regulatory obligations (SOX, HIPAA, state privacy laws) require them to assess the controls of their service providers, and SOC 2 is the accepted mechanism.

You compete against US-based vendors. If your competitors hold SOC 2 reports and you do not, you start every enterprise deal at a disadvantage. US procurement teams have a standard evaluation checklist. Missing SOC 2 certification does not disqualify you, but it creates friction, extends deal cycles, and sometimes shifts the conversation to custom security assessments that cost more time and effort than the SOC 2 investment would have.

The Belgian SaaS company that pursued SOC 2 through FortisEU's platform illustrates the pattern: ISO 27001 certified, strong EU compliance posture, but repeatedly losing US enterprise deals to SOC 2-equipped competitors.

When SOC 2 Does Not Make Sense

Equally important: recognising when the investment is not justified.

Your market is EU-only. European enterprise customers ask for ISO 27001, sometimes for NIS2 compliance evidence, occasionally for sector-specific certifications. They almost never ask for SOC 2. If your revenue is entirely EU-derived and your growth strategy targets EU markets, SOC 2 is a solution to a problem you do not have.

You operate in a sector with prescriptive regulatory frameworks. If your customers are financial institutions subject to DORA, healthcare entities subject to national health data regulations, or critical infrastructure operators subject to NIS2 sector-specific requirements, their vendor assessment frameworks are likely tied to those regulatory requirements rather than to SOC 2. A DORA-regulated financial institution needs to see your DORA Article 28 contractual provisions and your register of information entry, not your SOC 2 report.

Your product does not handle sensitive data. If you provide a developer tool, an analytics platform, or a productivity application that processes only metadata or non-sensitive operational data, the risk profile may not warrant SOC 2 investment. US customers may accept ISO 27001 certification and a completed security questionnaire for lower-risk services.

The cost exceeds the commercial opportunity. SOC 2 readiness and audit for an EU company with existing ISO 27001 typically costs EUR 40,000-80,000 in the first year (readiness gap remediation, auditor fees, evidence system setup) and EUR 25,000-40,000 annually thereafter (audit fees, evidence maintenance). If your US revenue pipeline does not justify that investment within 12-18 months, defer it.

The Practical Path: ISO 27001 as Foundation, SOC 2 as Overlay

For EU companies that have decided SOC 2 is commercially justified, the most efficient path leverages existing ISO 27001 controls as the foundation.

Step 1: Map your existing controls. Take your ISO 27001:2022 Statement of Applicability and map each Annex A control to the relevant SOC 2 Trust Services Criteria. Approximately 70-75% of your existing controls will map directly to SOC 2 common criteria (CC) requirements. Access control (A.5.15-A.5.18) maps to CC6.1-CC6.3. Change management (A.8.32) maps to CC8.1. Incident response (A.5.24-A.5.27) maps to CC7.3-CC7.5. Risk assessment (clause 6.1.2) maps to CC3.1-CC3.4.

Step 2: Identify gaps. The gaps typically fall in specific areas. SOC 2 expects a formal system description that defines the boundaries of the service being attested — infrastructure, software, people, procedures, and data flows. ISO 27001 has scope definition but not at the same level of system description specificity. SOC 2's availability and processing integrity criteria may require controls not explicitly covered by your ISO 27001 scope — uptime monitoring, capacity planning, data processing accuracy verification. SOC 2's evidence expectations differ in granularity and sampling approach from ISO 27001 surveillance audits.

Step 3: Extend, do not rebuild. Close the gaps by extending your existing control framework, not by creating a parallel one. Add the system description as a living document maintained alongside your ISMS documentation. Extend your evidence collection to capture the period-of-time evidence that SOC 2 Type II requires — quarterly access reviews with completion dates, change management tickets with approval timestamps, monitoring alert logs with response times. Automated evidence collection tools designed for multi-framework compliance make this extension significantly less painful than manual evidence gathering.

Step 4: Select your auditor carefully. Not all CPA firms are equal for EU-based SOC 2 engagements. Select a firm with experience auditing EU companies, familiarity with GDPR requirements that intersect with SOC 2 privacy criteria, and pragmatic understanding of how EU infrastructure and operational models differ from US patterns. The Big Four all have EU practices that handle SOC 2, but mid-tier firms with specialised technology audit practices often provide better value and more attentive service for growth-stage SaaS companies.

Step 5: Start with Type I, then move to Type II. A SOC 2 Type I report — assessing control design at a point in time — can be completed in 2-3 months and satisfies many procurement requirements in the short term. It buys you time to build the 6-12 month evidence trail needed for a Type II report while unblocking current deals.
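Step 3 says the Type II auditor samples evidence from across the whole period, so a gap in any sampling window is a finding waiting to happen. As an added example (not FortisEU's or the post's own code), the script below checks a constructed evidence set against a 6-month Type II period using the Annex A to common criteria mapping from Step 1; the A.8.16 to CC7.2 pairing, the cadences and all record values are this example's assumptions.

```python
"""Added example (not FortisEU's or the post's code): check that collected evidence
covers the whole SOC 2 Type II audit period at the cadence each control needs."""
from collections import defaultdict
from datetime import date, timedelta

# ISO 27001:2022 Annex A control -> SOC 2 criterion (first two as stated in the post,
# A.8.16 -> CC7.2 is this example's own assumption) and the sampling cadence in days.
CONTROLS = {
    "A.5.15": {"cc": "CC6.1", "cadence_days": 92},  # access reviews, quarterly
    "A.8.32": {"cc": "CC8.1", "cadence_days": 31},  # approved change tickets, monthly
    "A.8.16": {"cc": "CC7.2", "cadence_days": 31},  # monitoring alerts with response, monthly
}

# Constructed evidence records for a 6-month audit period; None = never signed off.
PERIOD = (date(2025, 1, 1), date(2025, 6, 30))
EVIDENCE = [
    {"control": "A.5.15", "ref": "AR-2025-Q1", "completed": date(2025, 3, 28)},
    {"control": "A.5.15", "ref": "AR-2025-Q2", "completed": None},
    {"control": "A.8.32", "ref": "CHG-1042", "completed": date(2025, 1, 15)},
    {"control": "A.8.32", "ref": "CHG-1057", "completed": date(2025, 2, 20)},
    {"control": "A.8.32", "ref": "CHG-1071", "completed": date(2025, 3, 12)},
    {"control": "A.8.32", "ref": "CHG-1090", "completed": date(2025, 4, 22)},
    {"control": "A.8.32", "ref": "CHG-1113", "completed": date(2025, 5, 30)},
    {"control": "A.8.32", "ref": "CHG-1128", "completed": date(2025, 6, 18)},
]

def windows(start, end, cadence_days):
    """Split [start, end] into consecutive windows of at most cadence_days days."""
    out, cur = [], start
    while cur <= end:
        stop = min(cur + timedelta(days=cadence_days - 1), end)
        out.append((cur, stop))
        cur = stop + timedelta(days=1)
    return out

def coverage_gaps(evidence, start, end):
    """Return {control: [windows with no completed evidence]} for every control."""
    completed = defaultdict(list)
    for item in evidence:
        if item["completed"] is not None:  # an unsigned review is not evidence
            completed[item["control"]].append(item["completed"])
    gaps = {}
    for control, meta in CONTROLS.items():
        missing = [w for w in windows(start, end, meta["cadence_days"])
                   if not any(w[0] <= d <= w[1] for d in completed[control])]
        if missing:
            gaps[control] = missing
    return gaps

def report(gaps):
    """One line per SOC 2 criterion that the auditor could not sample fully."""
    return [f"{CONTROLS[c]['cc']} ({c}): {len(ws)} window(s) without evidence, "
            f"first {ws[0][0]}..{ws[0][1]}" for c, ws in sorted(gaps.items())]

if __name__ == "__main__":
    print("\n".join(report(coverage_gaps(EVIDENCE, *PERIOD))))
```

Run against real records, the output is the list of windows to remediate before fieldwork starts, grouped by the criterion the auditor will test.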

GDPR and SOC 2: The Data Processing Considerations

EU companies pursuing SOC 2 face a specific challenge that US companies do not: the interaction between SOC 2 audit requirements and GDPR data protection obligations.

SOC 2 auditors test controls by examining evidence, which may include system screenshots, access logs, change management records, and incident reports. Some of this evidence may contain personal data — user email addresses in access logs, employee names in change management tickets, customer identifiers in incident reports. EU companies must ensure that evidence shared with SOC 2 auditors does not create GDPR compliance issues.

The practical solutions are straightforward but must be planned. Ensure your SOC 2 auditor is engaged under a data processing agreement that covers any personal data they access during the audit. Redact personal data from evidence samples where feasible without compromising the evidence's probative value — auditors generally accept redacted samples provided the redaction is consistent and explained. Where your SOC 2 report includes system descriptions that reference personal data processing, ensure alignment with your GDPR Article 30 records of processing activities.
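The redaction the paragraph above calls for has to be consistent (the same person maps to the same placeholder across samples) and explained to the auditor. As an added example (not FortisEU's or the post's own code), the class below pseudonymises e-mail addresses and listed employee names in constructed evidence lines with a key that stays with the controller; the sample lines, names and token format are this example's assumptions.

```python
"""Added example (not FortisEU's or the post's code): pseudonymise personal data in
evidence samples consistently before sharing them with the SOC 2 auditor."""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class EvidenceRedactor:
    """Each e-mail address or listed employee name becomes a stable token (USER-0001,
    PERSON-0001, ...). The same person always gets the same token, so the auditor can
    still see that one reviewer approved several tickets without learning who."""

    def __init__(self, employee_names=()):
        self.key = {}  # real value -> token; stays with the controller, never shared
        # Longest names first so a longer compound name is not partially matched.
        self.names = sorted(employee_names, key=len, reverse=True)

    def _token(self, value, prefix):
        if value not in self.key:
            n = sum(1 for t in self.key.values() if t.startswith(prefix)) + 1
            self.key[value] = f"{prefix}-{n:04d}"
        return self.key[value]

    def redact(self, line):
        # E-mail first (case-folded so Ben.Smith@ and ben.smith@ share one token).
        line = EMAIL_RE.sub(lambda m: self._token(m.group(0).lower(), "USER"), line)
        for name in self.names:
            line = re.sub(r"\b" + re.escape(name) + r"\b",
                          lambda m: self._token(name, "PERSON"), line)
        return line

    def summary(self):
        """What to tell the auditor: how many distinct values each prefix replaced."""
        counts = {}
        for token in self.key.values():
            prefix = token.rsplit("-", 1)[0]
            counts[prefix] = counts.get(prefix, 0) + 1
        return counts

# Constructed evidence lines (not real data): access-review record, change ticket, log.
SAMPLE = [
    "2025-03-28 access-review approved_by=anna.kovacs@example.eu scope=prod-admins",
    "CHG-1042 approved_by=Anna Kovacs reviewer=ben.smith@example.eu status=deployed",
    "2025-04-02 login user=Ben.Smith@example.eu src=10.0.4.7 result=success",
]

def redact_sample(lines=SAMPLE, employee_names=("Anna Kovacs", "Ben Smith")):
    """Redact every line with one shared key and return (redacted lines, summary)."""
    r = EvidenceRedactor(employee_names)
    return [r.redact(line) for line in lines], r.summary()

if __name__ == "__main__":
    redacted, counts = redact_sample()
    print("\n".join(redacted), counts)
```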

If you include the privacy Trust Services Criteria in your SOC 2 scope, the interaction becomes more substantive. The AICPA's privacy criteria reference "personal information" as defined under US frameworks. GDPR's definition of "personal data" is broader in some respects. Your control descriptions and system description should acknowledge GDPR obligations explicitly, demonstrating to US customers that you operate under a regulatory framework that exceeds the baseline privacy expectations of SOC 2.

This is actually a competitive advantage. EU companies pursuing SOC 2 can position their GDPR compliance as additive — "we operate under one of the world's most comprehensive data protection frameworks, and our SOC 2 report provides independent assurance of our controls." That narrative resonates with US enterprise customers who are increasingly conscious of data protection risk.

Timeline and Cost Expectations for EU Companies

For an EU company with existing ISO 27001:2022 certification, realistic timelines and costs are as follows.

SOC 2 readiness: 3-4 months. Gap analysis, system description development, evidence collection process design, gap remediation for controls not covered by ISO 27001 scope. This can run in parallel with normal operations and does not require a dedicated project team — typically 0.5 FTE of security/compliance staff time plus an external advisor.

SOC 2 Type I audit: 2-3 months. Auditor engagement, fieldwork, report issuance. Type I fieldwork is typically 2-3 weeks of active auditor involvement.

SOC 2 Type II audit period: 6-12 months. The clock starts once your controls are operational. During this period, you collect evidence of control operation. At the end, the auditor performs Type II fieldwork — typically 3-4 weeks — sampling evidence from across the period.

Total timeline from decision to Type II report: 12-18 months. This can be compressed to 9-12 months with aggressive execution, but rushing risks audit findings that undermine the report's value.

Cost breakdown:

  • Readiness advisory (optional but recommended): EUR 15,000-25,000
  • Type I audit fees: EUR 20,000-35,000
  • Type II audit fees: EUR 25,000-45,000
  • Evidence management tooling: EUR 5,000-15,000 annually
  • Internal staff time: approximately 400-600 hours across the full cycle

For subsequent years, the annual cost drops to Type II audit fees plus evidence maintenance — EUR 30,000-50,000 total, assuming no major scope changes.

These figures assume a SaaS company with a single primary product, a single cloud infrastructure provider, and 50-200 employees. Larger organisations, multiple products, or complex multi-cloud architectures increase audit scope and cost proportionally.

Key Takeaways

SOC 2 is a market access decision, not a security decision. For most EU companies with ISO 27001, SOC 2 adds minimal security improvement. Its value is commercial — unlocking US enterprise revenue that would otherwise be lost to procurement friction.

The threshold is clear. If US enterprise revenue exceeds 30% of total revenue, or if you compete against US-based vendors for enterprise deals, SOC 2 is likely justified. If your market is EU-only or your customers are regulated by sector-specific frameworks, it probably is not.

ISO 27001 is the foundation. Approximately 70-75% of SOC 2 requirements are already satisfied by a mature ISO 27001:2022 implementation. The incremental effort focuses on system description, period-of-time evidence collection, and gap controls for availability and processing integrity.

Plan for 12-18 months from decision to Type II report. Start with Type I to unblock current deals, then build the evidence trail for Type II. First-year investment is EUR 40,000-80,000; subsequent years drop to EUR 30,000-50,000.

GDPR is a competitive advantage, not an obstacle. EU companies can position their comprehensive data protection obligations as additive assurance. US enterprise customers increasingly value the regulatory maturity that GDPR compliance represents.

Treat SOC 2 as a commercial investment with measurable ROI. Track deal velocity before and after SOC 2 availability. If the report is not measurably accelerating US enterprise revenue within 12 months of issuance, re-evaluate the investment.
